Advanced NMAP (NSE Scripts)


  • PFSense/Router VM
  • Domain Controller
  • Kali VM


  • Understand how to use NSE Scripts
  • Try NSE scripts inside of the lab

Get Started

With the PFSense, Domain Controller and Kali virtual machines booted, we're going to test out a few NSE scripts. NSE (Nmap Scripting Engine) scripts give Nmap additional functionality when talking to different protocols. For example, the "smb-os-discovery" script allows Nmap to identify the target's operating system and the domain it belongs to.


With the command below we are able to use the smb-os-discovery script.

nmap --script smb-os-discovery <target ip>

In our lab the expected output of running this against the domain controller is below.


The HTTP Title script is quite an underrated script. It simply retrieves the title of the index page of a web server. This can be extremely useful when you have to scan a large network with a number of web servers. If there are a lot of uninteresting web servers and a Citrix environment among them, the titles make it quick to pick out.


nmap -p80 --script http-title <target ip>

The output of this against one of our IIS servers is below.
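On a large network, the titles are easier to review grouped than host by host. The Python sketch below is an added example, not part of the original lab: it parses Nmap's XML output (saved with the -oX option) and lists the rarest titles first. The addresses and titles in the sample are constructed, and the function names are my own.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of `nmap -p80 --script http-title -oX scan.xml` output.
# Addresses and titles are made up for illustration.
SAMPLE_XML = """<nmaprun>
 <host><address addr="10.0.0.10" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/>
   <script id="http-title" output="IIS Windows Server"/></port></ports></host>
 <host><address addr="10.0.0.11" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/>
   <script id="http-title" output="IIS Windows Server"/></port></ports></host>
 <host><address addr="10.0.0.12" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="open"/>
   <script id="http-title" output="Citrix Gateway"/></port></ports></host>
 <host><address addr="10.0.0.13" addrtype="ipv4"/><ports>
  <port protocol="tcp" portid="80"><state state="closed"/></port></ports></host>
</nmaprun>"""

def titles_by_host(xml_text):
    """Return (address, port, title) for every port with an http-title result."""
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr_el = host.find("address")
        addr = addr_el.get("addr") if addr_el is not None else "unknown"
        for port in host.iter("port"):
            script = port.find("script[@id='http-title']")
            if script is None:          # closed port or no HTTP response
                continue
            # Collapse whitespace; the script output may span several lines.
            title = " ".join(script.get("output", "").split()) or "(empty)"
            rows.append((addr, int(port.get("portid")), title))
    return rows

def group_by_title(rows):
    """Group endpoints by title, rarest title first, so outliers stand out."""
    groups = defaultdict(list)
    for addr, port, title in rows:
        groups[title].append(f"{addr}:{port}")
    return sorted(groups.items(), key=lambda kv: (len(kv[1]), kv[0]))

if __name__ == "__main__":
    for title, endpoints in group_by_title(titles_by_host(SAMPLE_XML)):
        print(f"{len(endpoints):3}  {title}  ({', '.join(endpoints)})")
```

For a real scan, read the saved file and pass its contents to titles_by_host() in place of SAMPLE_XML.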


The DNS Brute script is one of my personal favorites. It uses a wordlist and a target domain to brute-force subdomains. A script like this has the potential to uncover administration pages, VPNs and a whole lot more. This can really change the direction of a pentest.

nmap --script dns-brute <target domain>

Further Reading

If you have any NSE Script suggestions, leave them here!